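## Last changed: 2012-02-19 15:11:58 GMT
version 11.4R1.6;
system {
    host-name router;
    domain-name mydomain.co.uk;
    domain-search mydomain.co.uk;
    time-zone Europe/London;
    /* Only the root account is visible in this configuration. Add a named
       admin user (system login) and then set "services ssh root-login deny"
       so root is never reachable directly over the network. */
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxxxxxx";
    }
    name-server {
        212.159.13.49;
        212.159.13.50;
        192.168.253.230;
    }
    services {
        ssh {
            protocol-version v2;
            connection-limit 3;
        }
        /* "telnet" and "xnm-clear-text" removed: both carry credentials and
           configuration changes in cleartext. ssh (v2) and https cover the
           same management use cases. */
        dns {
            /* This DNS proxy answers on every interface whose zone allows the
               "dns" host-inbound service; untrust does not, so it is not an
               open resolver. Keep it that way. */
            max-cache-ttl 600;
            max-ncache-ttl 300;
            forwarders {
                212.159.13.49;
                212.159.13.50;
            }
        }
        web-management {
            /* Left inactive as found. Junos documents management-url for the
               case where dynamic VPN shares the https listener: it moves J-Web
               to /jweb and leaves the default URL to the VPN portal. Consider
               activating it — verify in the 11.4 release notes first. */
            inactive: management-url jweb;
            module-mode;
            /* The cleartext "http { interface vlan.0; }" listener was removed;
               J-Web on the LAN is now served over https as well. The listener
               on fe-0/0/0.0 is Internet-facing: it is what the dynamic VPN
               client downloads from, but it also exposes the J-Web login page
               (on the address not covered by the port-443 destination NAT). */
            https {
                system-generated-certificate;
                interface [ fe-0/0/0.0 vlan.0 ];
            }
            session {
                idle-timeout 30;
                session-limit 4;
            }
        }
        dhcp {
            maximum-lease-time 10800;
            default-lease-time 10800;
            domain-name mydomain.co.uk;
            name-server {
                192.168.253.230;
                212.159.13.49;
                212.159.13.50;
            }
            domain-search {
                mydomain.co.uk;
            }
            boot-server 192.168.253.219;
            pool 192.168.252.0/24 {
                address-range low 192.168.252.1 high 192.168.252.253;
                router {
                    192.168.252.254;
                }
                server-identifier 192.168.252.254;
            }
            pool 192.168.253.0/24 {
                address-range low 192.168.253.80 high 192.168.253.99;
                router {
                    192.168.253.254;
                }
                server-identifier 192.168.253.254;
            }
            static-binding 00:0c:42:70:31:11 {
                fixed-address {
                    192.168.253.99;
                }
                host-name routerboard.mydomain.co.uk;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* Remote syslog is plain UDP/514 on the LAN; acceptable here, but the
           collector must not be reachable from the DMZ except via the
           explicit DMZ_VLAN_ALLOW_SYSLOG_TO_SERVER policy. */
        host 192.168.253.219 {
            any any;
            authorization info;
            security any;
            change-log any;
            interactive-commands error;
            inactive: match RT_FLOW_SESSION;
            port 514;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        boot-server 192.168.253.219;
        server 192.168.253.219;
        server 192.168.253.230;
    }
}
interfaces {
    fe-0/0/0 {
        description "Connection to Internet via Zyxel ADSL Router. Modem Management IP xxx.xxx.xxx.xxx";
        unit 0 {
            family inet {
                address xxx.xxx.xxx.xx6/29;
                address xxx.xxx.xxx.xx7/29;
            }
        }
    }
    fe-0/0/1 {
        description "";
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/2 {
        description "";
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/3 {
        description "Interface connected to Grandstream GXP2020 SIP Phone via POE";
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/4 {
        description "Interface connected to Juniper SA700 SSL VPN LAN Port 192.168.253.253";
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    fe-0/0/5 {
        description "DMZ Interface connected to Juniper SA700 SSL VPN WAN Port 192.168.252.253";
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members DMZ_VLAN;
                }
            }
        }
    }
    fe-0/0/6 {
        description "DMZ Interface connected to Vodafone Sure Signal 192.168.252.1";
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members DMZ_VLAN;
                }
            }
        }
    }
    fe-0/0/7 {
        description "Interface connected to Dell Switch Port 1";
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* Tunnel interface for the route-based site-to-site VPN (zone jbvpn). */
    st0 {
        unit 0 {
            family inet;
        }
    }
    vlan {
        /* vlan.0 = trust LAN, vlan.1 = DMZ; both export flow records. */
        unit 0 {
            family inet {
                sampling {
                    input;
                    output;
                }
                address 192.168.253.254/24;
            }
        }
        unit 1 {
            family inet {
                sampling {
                    input;
                    output;
                }
                address 192.168.252.254/24;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            rate 60;
        }
        family inet {
            output {
                flow-server 192.168.253.219 {
                    port 2055;
                    version 5;
                }
            }
        }
    }
}
snmp {
    description Router;
    location Office;
    contact "ME";
    /* "public" is the well-known default community string. The client
       restriction to the trust LAN limits exposure, but the string should be
       changed (and the NMS updated) or SNMPv3 used instead. */
    community public {
        authorization read-only;
        clients {
            192.168.253.0/24;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop yyy.yyy.yyy.yyy;
        route 192.168.0.0/24 next-hop st0.0;
    }
}
protocols {
    stp;
}
security {
    log {
        cache;
        mode event;
    }
    key-protection;
    ike {
        /* Both proposals are identical (PSK, DH group 5, SHA-1, AES-256-CBC).
           They are kept as-is for compatibility with the existing peers;
           for new peers prefer SHA-256 and DH group 14 or stronger. */
        proposal ike-proposal-cfgr {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 14400;
        }
        proposal ike-proposal-aes-256 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 14400;
        }
        policy ike-policy-cfgr {
            mode main;
            proposals ike-proposal-aes-256;
            pre-shared-key ascii-text "IPSEC PSK SITE 2 SITE";
        }
        /* Aggressive mode with a group PSK: the IKE hash of the PSK is sent
           in the clear, so the key is exposed to offline guessing by anyone
           who can reach UDP/500. Junos dynamic VPN requires this mode; make
           the PSK long and random, and rely on XAuth as the second factor. */
        policy ike_pol_wizard_dyn_vpn {
            mode aggressive;
            proposals ike-proposal-cfgr;
            pre-shared-key ascii-text "DYNAMIC VPN PSK";
        }
        gateway ike-gate-cfgr {
            ike-policy ike-policy-cfgr;
            /* remote site-to-site IPsec peer address */
            address 1.1.1.1;
            dead-peer-detection {
                interval 30;
                threshold 2;
            }
            external-interface fe-0/0/0;
            general-ikeid;
            version v1-only;
        }
        gateway gw_wizard_dyn_vpn {
            ike-policy ike_pol_wizard_dyn_vpn;
            dynamic {
                hostname router.mydomain.co.uk;
                connections-limit 2;
                ike-user-type group-ike-id;
            }
            external-interface fe-0/0/0.0;
            xauth access-profile remote_access_profile;
        }
    }
    ipsec {
        vpn-monitor-options {
            interval 10;
            threshold 10;
        }
        proposal ipsec-proposal-cfgr {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        proposal ipsec-proposal-aes-256 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 14400;
        }
        policy ipsec-policy-cfgr {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec-proposal-aes-256;
        }
        policy ipsec_pol_wizard_dyn_vpn {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals ipsec-proposal-cfgr;
        }
        vpn ipsec-vpn-cfgr {
            bind-interface st0.0;
            ike {
                gateway ike-gate-cfgr;
                idle-time 120;
                proxy-identity {
                    local 192.168.253.0/24;
                    remote 192.168.0.0/24;
                }
                ipsec-policy ipsec-policy-cfgr;
            }
            establish-tunnels on-traffic;
        }
        vpn wizard_dyn_vpn {
            ike {
                gateway gw_wizard_dyn_vpn;
                ipsec-policy ipsec_pol_wizard_dyn_vpn;
            }
        }
    }
    alg {
        ike-esp-nat {
            enable;
        }
    }
    dynamic-vpn {
        access-profile remote_access_profile;
        clients {
            wizard-dyn-group {
                /* 192.168.252.0/24 is listed as protected, but the only
                   tunnel policy is untrust->trust; there is no untrust->DMZ_ZONE
                   tunnel policy, so clients cannot actually reach the DMZ.
                   Either drop it here or add the matching policy. */
                remote-protected-resources {
                    192.168.253.0/24;
                    192.168.252.0/24;
                }
                /* Split tunnelling: everything else leaves the client directly. */
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn wizard_dyn_vpn;
                user {
                    john;
                }
            }
        }
    }
    flow {
        allow-dns-reply;
        syn-flood-protection-mode syn-cookie;
        tcp-mss {
            all-tcp {
                mss 1492;
            }
            ipsec-vpn {
                mss 1472;
            }
        }
        tcp-session {
            rst-sequence-check;
            strict-syn-check;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                large;
                ping-death;
            }
            ip {
                bad-option;
                security-option;
                /* Left inactive as found. The dynamic-VPN address pool
                   (192.168.253.170-179) lies inside the trust subnet that is
                   routed via vlan.0, which is the classic reason this check
                   gets disabled. Re-test with it active before relying on it;
                   without it, RFC1918-sourced packets on the WAN are not dropped
                   by the screen. */
                inactive: spoofing;
                source-route-option;
                strict-source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
                winnuke;
            }
        }
    }
    nat {
        source {
            pool ADSL_WAN_IP_1 {
                address {
                    xxx.xxx.xxx.6/32;
                }
            }
            pool ADSL_WAN_IP_2 {
                address {
                    xxx.xxx.xxx.7/32;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                /* Rules are matched in order. The specific LAN rule must come
                   before the 0.0.0.0/0 catch-all, otherwise it never matches
                   and the pool assignment is silently ignored. */
                rule trust-source-nat-rule {
                    match {
                        source-address 192.168.253.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                ADSL_WAN_IP_1;
                            }
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set DMZ_to_untrust {
                from zone DMZ_ZONE;
                to zone untrust;
                rule dmz-source-nat-rule {
                    match {
                        source-address 192.168.252.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                ADSL_WAN_IP_2;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool DSTNAT-SSL-VPN-LAN {
                address 192.168.252.253/32 port 443;
            }
            /* Only xx7:443 is forwarded to the SSL VPN appliance; xx6:443 still
               terminates on the router's own https listener. */
            rule-set PAT_FROM_UNTRUST_TO_TRUST {
                from zone untrust;
                rule PAT_SSL_VPN {
                    match {
                        destination-address xxx.xxx.xxx.xx7/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool DSTNAT-SSL-VPN-LAN;
                    }
                }
            }
        }
        /* Answers ARP on the LAN for the dynamic-VPN client pool. */
        proxy-arp {
            interface vlan.0 {
                address {
                    192.168.253.170/32 to 192.168.253.179/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* The per-application policies below only exist for counting;
               trust-to-any-allow-ALL at the end permits everything anyway. */
            policy trust-to-untrust-allow-DNS {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                    count;
                }
            }
            policy trust-to-untrust-allow-http {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                    count;
                }
            }
            policy trust-to-untrust-allow-HTTPS {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                    count;
                }
            }
            policy trust-to-any-allow-email {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application [ junos-pop3 junos-imap junos-smtp ];
                }
                then {
                    permit;
                    count;
                }
            }
            policy trust-to-untrust-allow-ftp {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application junos-ftp;
                }
                then {
                    permit;
                    count;
                }
            }
            policy trust-to-any-allow-ALL {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone DMZ_ZONE to-zone untrust {
            /* Unrestricted egress for the DMZ (femtocell IPsec, SSL VPN
               appliance updates). Tighten to the ports those devices need
               once they are known. */
            policy DMZVLAN-to-untrust {
                match {
                    source-address addr_192_168_252_0_24;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone trust to-zone DMZ_ZONE {
            /* NOTE(review): "JOHN" is not defined in the trust address-book
               shown here — confirm it exists (e.g. in a global address-book)
               or the commit will fail. */
            policy Allow_John_to_DMZ_VLAN {
                match {
                    source-address JOHN;
                    destination-address addr_192_168_252_0_24;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone DMZ_ZONE to-zone trust {
            /* DMZ -> LAN is limited to NTP/DNS to zeroshell and syslog to
               SERVER; everything else hits the deny-all default. */
            policy DMZ_VLAN_ALLOW_NTP {
                match {
                    source-address addr_192_168_252_0_24;
                    destination-address zeroshell;
                    application junos-ntp;
                }
                then {
                    permit;
                    count;
                }
            }
            policy DMZ_VLAN_ALLOW_SYSLOG_TO_SERVER {
                match {
                    source-address addr_192_168_252_0_24;
                    destination-address SERVER;
                    application junos-syslog;
                }
                then {
                    permit;
                    count;
                }
            }
            policy DMZ_VLAN_ALLOW_DNS {
                match {
                    source-address addr_192_168_252_0_24;
                    destination-address zeroshell;
                    application [ junos-dns-udp junos-dns-tcp ];
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone untrust to-zone DMZ_ZONE {
            /* Internet-facing inbound rule: session logging added so the
               syslog collector (security any) sees who connects to the SSL VPN. */
            policy WAN_SSL_ALLOW {
                match {
                    source-address any;
                    destination-address SSL-VPN-WAN;
                    application junos-https;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* Only traffic decrypted from wizard_dyn_vpn matches the tunnel
               action; plain Internet traffic does not. destination-address
               could still be narrowed to addr_192_168_253_0_24. */
            policy policy_in_wizard_dyn_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn wizard_dyn_vpn;
                        }
                    }
                    count;
                }
            }
        }
        from-zone trust to-zone jbvpn {
            policy trust-jbvpn-cfgr {
                match {
                    source-address addr_192_168_253_0_24;
                    destination-address addr_192_168_0_0_24;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone jbvpn to-zone trust {
            policy jbvpn-trust-cfgr {
                match {
                    source-address addr_192_168_0_0_24;
                    destination-address addr_192_168_253_0_24;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone trust {
            address-book {
                address addr_192_168_253_0_24 192.168.253.0/24;
                address LAN-DHCP-80 192.168.253.80/32;
                address LAN-DHCP-81 192.168.253.81/32;
                address LAN-DHCP-82 192.168.253.82/32;
                address LAN-DHCP-83 192.168.253.83/32;
                address LAN-DHCP-84 192.168.253.84/32;
                address LAN-DHCP-86 192.168.253.86/32;
                address LAN-DHCP-87 192.168.253.87/32;
                address LAN-DHCP-88 192.168.253.88/32;
                address LAN-DHCP-89 192.168.253.89/32;
                address LAN-DHCP-90 192.168.253.90/32;
                address LAN-DHCP-91 192.168.253.91/32;
                address LAN-DHCP-92 192.168.253.92/32;
                address LAN-DHCP-93 192.168.253.93/32;
                address LAN-DHCP-94 192.168.253.94/32;
                address LAN-DHCP-95 192.168.253.95/32;
                address LAN-DHCP-96 192.168.253.96/32;
                address LAN-DHCP-97 192.168.253.97/32;
                address LAN-DHCP-98 192.168.253.98/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-160 192.168.253.160/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-161 192.168.253.161/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-162 192.168.253.162/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-163 192.168.253.163/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-164 192.168.253.164/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-165 192.168.253.165/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-166 192.168.253.166/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-167 192.168.253.167/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-168 192.168.253.168/32;
                address USER-UNDEFINED-SSL-VPN-PROXY-ARP-169 192.168.253.169/32;
                address SRX100-VPN-PROXY-ARP-USER-170 192.168.253.170/32;
                address SRX100-VPN-PROXY-ARP-USER-171 192.168.253.171/32;
                address SRX100-VPN-PROXY-ARP-USER-172 192.168.253.172/32;
                address SRX100-VPN-PROXY-ARP-USER-173 192.168.253.173/32;
                address SRX100-VPN-PROXY-ARP-USER-174 192.168.253.174/32;
                address SRX100-VPN-PROXY-ARP-USER-175 192.168.253.175/32;
                address SRX100-VPN-PROXY-ARP-USER-176 192.168.253.176/32;
                address SRX100-VPN-PROXY-ARP-USER-177 192.168.253.177/32;
                address SRX100-VPN-PROXY-ARP-USER-178 192.168.253.178/32;
                address SRX100-VPN-PROXY-ARP-USER-179 192.168.253.179/32;
                address SSL-VPN-PROXY-ARP-180 192.168.253.180/32;
                address SSL-VPN-PROXY-ARP-181 192.168.253.181/32;
                address SSL-VPN-PROXY-ARP-182 192.168.253.182/32;
                address SSL-VPN-PROXY-ARP-183 192.168.253.183/32;
                address SSL-VPN-PROXY-ARP-184 192.168.253.184/32;
                address SSL-VPN-PROXY-ARP-185 192.168.253.185/32;
                address SSL-VPN-PROXY-ARP-186 192.168.253.186/32;
                address SSL-VPN-PROXY-ARP-187 192.168.253.187/32;
                address SSL-VPN-PROXY-ARP-188 192.168.253.188/32;
                address SSL-VPN-PROXY-ARP-189 192.168.253.189/32;
                address SERVER 192.168.253.219/32;
                address zeroshell 192.168.253.230/32;
                address router 192.168.253.254/32;
            }
            /* "all/all" on the management LAN is left as found; it means
               every LAN host can reach ssh, https, snmp, dns and dhcp on the
               router. Consider listing just those five. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address adsl.mydomain.co.uk xxx.xxx.xxx.xx5/32;
            }
            screen untrust-screen;
            interfaces {
                fe-0/0/0.0 {
                    /* "dhcp" removed: fe-0/0/0.0 is statically addressed, so
                       the RE has no reason to accept DHCP from the Internet.
                       https stays for the dynamic VPN portal, ike for both VPNs. */
                    host-inbound-traffic {
                        system-services {
                            https;
                            ike;
                        }
                    }
                }
            }
        }
        security-zone jbvpn {
            address-book {
                address addr_192_168_0_0_24 192.168.0.0/24;
            }
            interfaces {
                st0.0;
            }
        }
        security-zone junos-host;
        security-zone DMZ_ZONE {
            address-book {
                address vag 192.168.252.1/32;
                address SSL-VPN-WAN 192.168.252.253/32;
                address addr_192_168_252_0_24 192.168.252.0/24;
                address addr_192_168_253_0_24 192.168.253.0/24;
            }
            /* Narrowed from "system-services all; protocols all": the DMZ
               hosts (femtocell, SSL VPN WAN port) only need DHCP from the
               router's 192.168.252.0/24 pool and ping for diagnostics. This
               keeps ssh/https/snmp/dns on the RE off the DMZ. Transit traffic
               is governed by the policies, not by this stanza. No routing
               protocol runs on vlan.1, so "protocols" is dropped. */
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ping;
                }
            }
            interfaces {
                vlan.1;
                fe-0/0/5.0;
                fe-0/0/6.0;
            }
        }
    }
}
access {
    /* XAuth users for the dynamic VPN. A locally stored firewall-user
       password is the second factor behind the group PSK; keep it distinct
       from the PSK and from any other account. */
    profile remote_access_profile {
        client john {
            firewall-user {
                password "dynamic vpn password";
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.253.0/24;
                range dvpn-range {
                    low 192.168.253.170;
                    high 192.168.253.179;
                }
                dhcp-attributes {
                    domain-name mydomain.co.uk;
                    name-server {
                        192.168.253.230;
                    }
                    wins-server {
                        192.168.253.219;
                    }
                }
                xauth-attributes {
                    primary-dns 192.168.253.230/32;
                    primary-wins 192.168.253.219/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile remote_access_profile;
        }
    }
}
smtp {
    primary-server {
        address 192.168.253.219;
        login "server@mydomain.co.uk" {
            password "xxxxxxxxxxx";
        }
    }
}
vlans {
    DMZ_VLAN {
        vlan-id 2;
        l3-interface vlan.1;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}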